Vice-President of the European Commission responsible for the Digital Agenda

Online privacy and online business: An update on Do Not Track

The Centre for European Policy Studies (CEPS)/Brussels,

11 October 2012

Thank you for inviting me today.

Online privacy and online business need to go hand in hand. Privacy is a fundamental right; if your idea doesn't work with that, it won't work at all. Because people won't use what they don't trust. And they will stop using what they learn to distrust. If that happens, online businesses miss out on a huge opportunity of new and bigger markets.

We need a corporate culture that respects its customers and their privacy. Being transparent: making all citizens aware what's at stake, and which tools they can use. So today I want to say to those involved in Online Behavioural Advertising self-regulation here in Europe: well done for reaching another milestone and launching the legal entity governing your programme this week. The signatories deserve praise and encouragement for going in the right direction. You have worked hard, and have done well.

Of course, we also need a corporate culture that respects our legal privacy rules which go beyond transparency. The new provisions in the ePrivacy directive, the so-called "cookie rules", require informed consent before information is stored or accessed on a user's device, their computer or smartphone. Including when somebody wants to store or access cookies for advertising or other tracking purposes. All providers need to respect and implement these rules.

Over a year ago I set out how industry should deal with them. At the time stakeholders were just waking up to the issue; by now, those rules are in force in almost all Member States.

The Digital Agenda is about helping online business to grow. And it's about an open Internet where innovation can continue to change our world. So we are not agnostic as to how industry implements the cookie rules: this is important to our goals. And that's why, in June last year, I urged all interested parties to come to the standardisation table, and agree a Do Not Track standard, or "DNT". A standard making it simple for Internet users to say "don't track me"; and describing how websites should respect this choice.

It's not hard to see how DNT can help with cookie consent – and help the Digital Agenda. Put simply, DNT can be a universal mechanism to communicate relevant consent – or lack of consent. It should apply to tracking via cookies, and also by other means. It should apply to all network devices and applications, independently of the purpose of tracking. It should “work on the web”, be scalable globally, and in keeping with the end-to-end principle.

That was my challenge to industry. Just over a year later, it's time to assess progress.

Several browser manufacturers have quickly incorporated the emerging DNT: and that's positive.

But let me be frank: standardisation work is not going according to plan. In fact, I am increasingly concerned. About the delay, and about the turn taken by the discussions hosted by the World Wide Web Consortium (W3C). I think that won't come as a surprise to you. And I know that my colleagues across the Atlantic, at the Federal Trade Commission, feel the same.

What is the problem? Top of my list comes the watering down of the standard.

I said it last June, and I said it in January. Loud and clear. But, for the avoidance of doubt, I will say it again today: the DNT standard must be rich and meaningful enough to make a difference, when it comes to protecting people's privacy.

It should build on the principle of informed consent, giving people control over their information.

And, indeed, it must be designed to let people choose to not be tracked. The clue is in the name: do NOT track.

So, let me spell out some specific concerns.

First, how users are informed about default settings in their software and devices. That's a crucial aspect: is the default option to allow tracking, or to decline consent? The Commission services were very clear on this point in their letter to the W3C: at installation or first use, users must be informed about the importance of their DNT choice. They must betold about any default setting; and prompted to keep or to change it. Because without that, most users aren't making an informed choice.

Second, the DNT standard should not let websites "second-guess" or disregard user choices. Recently, there were reports about a popular web server introducing a feature that amounted to overriding the DNT signal; in effect, ignoring users' wishes. I find that troubling, and undesirable.

And third, what can be done without consent should be limited; and justifiable, in the light of the standard's overall aim. But the exceptions now on the table seem extremely broad. Jon Leibowitz, the FTC's Chairman, called them "a loophole you could drive a virtual truck through". And you can see why. Take the exception discussed for "market research". We need to be clearer, much clearer, about what that means, and how far it goes. Of course anonymisation, or privacy safeguards like retention limits, could mitigate here. But this cannot be an open-ended "get-out clause".

In short: there are many reasons for concern. Time is not on our side. So to all of those taking part in these discussions I say today: you need to find a good consensus – and fast.

Make no mistake. I am not naïve. The way the discussion is going right now shows that the DNT standard, on its own, will not guarantee satisfying legal cookie requirements. Not least because the emerging consensus appears to exclude first-party cookies from the scope.

But DNT is still useful and valuable.

The fact is, we need, as far as possible, a simple and uniform way of addressing e-privacy – across different providers and different types of tracking. You shouldn't have every provider reinventing the wheel on this one.

Going the whole way would be better than going half way – of course! But going half the way together is better than leaving everyone on their own. Because it is a common approach, open and generative, fit for the global web.

But, if DNT only goes half way, providers will need to ensure legal compliance beyond that. There will be a delta, things providers need to do to get valid cookie consent; on top of or beyond implementing DNT.

So there should be a discussion about what that delta looks like in the EU Member States. Given the legal requirements and given the state of the standard. With the providers who will need to know the answer. And with the authorities enforcing ePrivacy, who will need to set out their position.

Not least, because DNT is already here with us. It's built into several browsers, and used by many Europeans. Therefore, today, in Europe, it already makes a difference whether DNT signals are sent. Do you think companies should get away with saying that they "don't understand the message", because DNT is not yet standardised, and continuing to place tracking cookies without consent? I don't.

So you won't be surprised to hear that the responsible authorities in the Member States are looking at how to enforce these ePrivacy rules. And I will put this topic on the agenda for their next meeting in the Article 29 Working Party, before the end of the year.

In short, nobody in Europe should want to see DNT standardisation stall or fail. It's in no-one's interest. The cookie consent rules will be enforced and providers will have to comply. Nobody wants users who can't trust the web; nobody wants expensive ad-hoc solutions; nobody wants to be sued for illegal tracking.

When I say this is in everyone's interest, I mean everyone. Including American companies. Because if you want to track Europeans, you have to play by our rules. Our new data protection framework is crystal-clear on that point.Including online businesses. In the long term, the online economy won't grow if it acts against the grain, against the wishes of ordinary users, against their need for trust. And under such conditions, nor can online services prosper: including "freemium" services.

My conviction is simple: online privacy and online business don't just go very well together: they need each other. We need to understand online privacy more as a market in its own right. A market grounded in a respected legal framework. A market that benefits from transparency. A market that will specialise as it matures.

What does that mean? Well, ask yourself: does it make sense for every company to become expert in "big data", finding out what people like, want, think, from their digital traces? Does it make sense for every online company to track past, current and future users online? Would that be cost-effective? Well, not necessarily. And that is why I am expecting new business models in this space. For example services that track and profile on the user's behalf and under the user's control; services that make information available, to advertisers and others, with the user's consent and yes, why not, for payment.

As we have learned from the advertising sector itself: consumers don't mind advertising; not even the more targeted kind. What they do mind is the proliferation of profiles about themselves. Give them knowledge and give them control, and everything is possible.

To sum up:

A sound DNT standard will be successful. I have no doubt about that.

But I am worried about the soundness of what we are getting – and about the slow speed. Failing to deliver would mean everyone loses. Users miss out on an easy way to protect their privacy, websites miss out on a simple and user-friendly way to comply with consent requirements. And, ultimately, advertisers lose out, too.

So let's avoid that scenario. I am convinced that a rich standard is still possible. One that avoids the pitfalls I've mentioned. I realise it may take a few additional months, but it is still, at the moment, the best outcome for everyone.

But time is running out: this is the last opportunity. We must act quickly, and make DNT available to all Internet users.

And then, we can concentrate on growing the online economy, and online privacy, together: WITH users, and not against them.